
TJX Data Breach 10 Times More Costly Than Expected

August 16, 2007

If you ever wondered just how bad a data security breach could be, look no further than the embattled corporate headquarters of TJX Cos., the retail conglomerate in Framingham, MA that has spent a good chunk of 2007 dealing with the fallout from the largest corporate breach in the nation’s history.

For those who need a refresher: somebody hacked into TJX’s computer network over the course of a 14-month period beginning in July 2005 and ending in December 2006, when TJX computer security personnel learned of the intrusion. The hacker (or hackers) captured data from at least 45.7 million debit and credit cards used by customers of TJX’s affiliated retail stores, which include T.J. Maxx and Marshalls. Investigators have theorized that the hackers took advantage of poorly protected data being transmitted over a wireless network at a Marshalls store in St. Paul.

In the months after the company went public with news of the breach in January of this year, its corporate tech gurus upgraded its computer system and its attorneys tended to various lawsuits and investigations, all while accountants tried to keep tabs on a price tag that was too nebulous to quantify (estimates released three months ago put the breach’s expected toll at $25 million, though company officials cautioned that the extent of the costs was not fully known). Now, the true price tag of the data loss is coming into clearer perspective, according to a second-quarter earnings report cited by The Boston Globe.

Drum roll please…

Actually, you saw it right there in the headline—$256 million. That’s a quarter of a cool billion. Depending on the outcome of various lawsuits and investigations, the final bill actually could approach the $1 billion mark, according to at least one analyst quoted by the Globe. 

Worse yet, if we’re to believe an estimate released in May by the compliance and database security company IPLocks, as reported in InformationWeek, the incident could cost TJX a total of $100 per lost record, or $4.5 billion, when the less easily quantified impact of brand impairment is taken into consideration alongside fines, legal fees and notification expenses.

At this point, nobody can say definitely how much this mess will cost TJX when the ledgers are finally put to rest, but this much is certain: Breach-related expenses have already lowered TJX’s quarterly profit by $118 million, or 25 cents a share. And while TJX spokeswoman Sherry Lang tells the Globe the company believes it has identified the extent of its liability from the breach, Gartner Inc. security analyst Avivah Litan says she doesn’t think “it’s over yet.”

An important lesson to businesses evaluating their own data security protocols: Just as there are gifts that keep on giving, there are mistakes that keep on taking. Don’t let a database security breach continue to eat away at your bottom line. Investing in strong database encryption and establishing good data security practices now can potentially save you a fortune later on.


©2003-2010 Identity Theft 911, LLC. All rights reserved.
